Office of Inspector General
Evaluation Report

GOVERNMENT INFORMATION SECURITY REFORM ACT

STATUS OF EPA'S COMPUTER SECURITY PROGRAM

Audit Report Number: 2002-S-00017

September 16, 2002


Inspector General Division Conducting the Evaluation:   Information Technology Audits Division, Washington, D.C.
Regions Covered:                                        Agency-wide
Program Office Involved:                                Office of Environmental Information
Team Members:                                           James Rothwell
                                                        Anita Mooney
                                                        Chuck Dade
                                                        Rudy Brevard
                                                        Debbie Hunter
                                                        Teresa Richardson
                                                        Michael Young
                                                        Neven Morcos
                                                        Carolyn Bowers


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

SEP 16 2002

MEMORANDUM

SUBJECT:  Government Information Security Reform Act: Status of EPA's Computer Security Program
          Report No. 2002-S-00017

TO:       Christine Todd Whitman
          Administrator

Attached is our final report entitled Government Information Security Reform Act: Status of EPA's Computer Security Program. We performed this evaluation pursuant to the Fiscal 2001 Defense Authorization Act (Public Law 106-398), including Title X, Subtitle G, "Government Information Security Reform Act" (the Act). Our objectives were to provide an independent evaluation of the Agency's information security program and practices, and to determine whether it has taken appropriate corrective actions in response to the Unix and Novell recommendations provided by the General Accounting Office (GAO/AIMD-00-215, Fundamental Weaknesses Place EPA Data and Operations at Risk).

The Office of Management and Budget (OMB) issued specific reporting instructions so that agencies could provide results in a consistent form and format. As such, each of the numbered topics shown in the report relates to a specific agency responsibility outlined in the Act or OMB Circular A-11, "Planning, Budgeting, and Acquisition of Capital Assets."

We performed field work from June 5, 2002, through July 30, 2002, and followed general standards for conducting audits, as issued by the Comptroller General of the United States. We conducted our review primarily at the Office of Environmental Information, located at EPA Headquarters in Washington, D.C. The evaluation focused on responding to questions posed by OMB. We accomplished this by conducting interviews with appropriate Agency personnel and, where possible, verifying their responses by analyzing supporting documentation.

In accordance with the OMB reporting instructions, I am forwarding this report to you for submission, along with the Agency's required information, to the Director, OMB.

Should your staff have any questions, please have them contact Pat Hill, Director, Business Systems, at (202) 566-0894.

Nikki L. Tinsley

Attachment

cc:  Kimberly T. Nelson, Chief Information Officer


GOVERNMENT INFORMATION SECURITY REFORM ACT:
STATUS OF EPA'S COMPUTER SECURITY PROGRAM

Audit Report No. 2002-S-00017

Question A.1    Identify the agency's total security funding as found in the agency's FY02 budget request, FY02 budget enacted, and the President's FY03 budget. This should include a breakdown of security costs by each major operating division or bureau and include critical infrastructure protection costs that apply to the protection of government operations and assets. Do not include funding for critical infrastructure protection pertaining to lead agency responsibilities such as outreach to industry and the public.

Inspectors General were not expected to respond to this question.

Question A.2    Identify and describe as necessary the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials, CIOs, or IGs in both last year's report (FY01) and this year's report (FY02) according to the format provided below. Agencies should specify whether they used the NIST self-assessment guide or an agency developed methodology. If the latter was used, confirm that all elements of the NIST guide were addressed.

                                                   FY01      FY02
    a. Total number of agency programs               24        24
    b. Total number of agency systems               189
    c. Total number of programs reviewed             24        24
    d. Total number of systems reviewed             189

The Environmental Protection Agency (EPA) had not finalized its list of agency systems for FY02 by the end of our fieldwork. At that time, program and regional offices had been sent a list of systems for which they were responsible. The Agency planned to finalize the actual list of reportable systems for FY02 by the end of August 2002, after all programs and regions had submitted their assessments and/or documentation. Managers were asked to either perform an assessment on the systems or provide documentation as to why the systems should not be reported under the Government Information Security Reform Act (GISRA).

The Agency deployed a web-enabled self-assessment tool that incorporates the National Institute of Standards and Technology (NIST) Self-Assessment Guide, Special Publication 800-26. This tool was the basis for performing system assessments for FY02. EPA's Office of Environmental Information (OEI) stated it would perform a quality assurance review to determine the reasonableness and logic of the responses received.

Question A.3    Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law. Identify the number of reported material weaknesses for FY01 and FY02, and the number of repeat weaknesses in FY02.

For FY01, the Agency reported Information Systems Security as a material weakness under the Federal Managers' Financial Integrity Act. In FY02, the OIG is recommending that Information Systems Security be downgraded to an agency-level weakness due to the considerable progress EPA made in implementing its computer security program.
There were no repeat weaknesses involving security issues.

Question B.1    Identify and describe any specific steps taken by the agency head to clearly and unambiguously set forth the Security Act's responsibilities and authorities for the agency CIO and program officials. Specifically how are such steps implemented and enforced? Can a major operating component of the agency make an IT investment decision without review by and concurrence of the agency CIO?

EPA's Administrator took steps to set forth the Security Act's responsibilities, as well as authorities for the Agency's Chief Information Officer (CIO) and program officials. For example, in December 2001, EPA issued a revised Delegations Manual identifying CIO responsibilities and authority. As Chair of the Quality Information Council, the CIO actively participated in strategic management activities and operational planning efforts. In addition, the CIO advised EPA's Administrator, via the advisement letter and Capital Planning and Investment Control (CPIC) proposals, on the information resource implications of strategic planning decisions and on the design, development, and implementation of information resources.

In June 2002, the CIO redelegated the following responsibilities to various OEI Directors:

    •  serve as Chair of the Agency's Data Integrity Collection Board;
    •  establish policies and procedures for the management and security of records, files, and data;
    •  establish and maintain a continuing program for the management and security of records, data, and files;
    •  establish policies and procedures for the management and security of information systems and technology;
    •  approve the acquisition of information technology (IT) resources; and
    •  establish and maintain a continuing program for the management and security of information systems and technology.

Also, the CIO monitors compliance with policies, procedures, and guidance through the annual assessment, which provides an update on the status of the Agency's security program. The annual assessment is reported to the Office of Management and Budget (OMB) each September. As a follow-on activity to this annual assessment, the Agency identifies where improvements in the security program can be made, develops detailed plans of action and milestones to implement these improvements, and reports progress to OMB on a quarterly basis.

As long as EPA strictly adheres to its CPIC policy, a major operating component of the Agency cannot make a major IT investment decision without review by and concurrence of the Agency's CIO. In May 2002, EPA issued an interim policy that outlined the approval process for IT investments. By June 2002, management superseded the interim policy with a final IT CPIC policy under EPA Order 2100.2A1. The Order established the policy for assuring that IT resources are invested and managed to achieve high-value outcomes at acceptable cost. The policy requires EPA Offices to submit proposals for IT investments to the CIO. If approved, these investments are funded from the submitting Office's budget. The CIO, in conjunction with the Chief Financial Officer, Senior Procurement Executive, and senior program officials on the IT Investment Board, selects those investments recommended for funding in the Agency's budget. After the selection process is completed, the CIO sends an advisement letter to the Administrator that lists the approved IT investments.
The advisement letter also summarizes the total number of IT investment proposals reviewed, the number recommended for funding, and the number of proposals withdrawn from consideration. We found that the approved investment proposals submitted to OMB in November 2001 were the same ones approved by the CIO in her September 2001 advisement memorandum. The OIG believes additional improvements can be made to EPA's CPIC and IT procurement processes and will issue findings in a report entitled EPA's Management of Information Technology Resources Under the Clinger-Cohen Act.

Question B.2    How does the head of the agency ensure that the agency's information security plan is practiced throughout the life cycle of each agency system? During the reporting period, did the agency head take any specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and practiced throughout the lifecycle of each system?

The Agency head delegated to the CIO the responsibility of establishing and maintaining a continuing program for the management and security of records, files, data, and information systems and technology. In June 2002, the CIO redelegated the task of ensuring that system security plans are up-to-date and practiced throughout the life cycle of each system to OEI's Director for Technology Operations and Planning (OTOP).

EPA's current Life Cycle Management policy is outdated. In EPA's 2001 GISRA Report, OEI indicated it would be updating the life cycle policies and guidance. The updating of these policies is not complete. However, OEI indicated that it has a process underway to identify those IT policies needing to be created, updated, or canceled in order to address gaps between EPA's current IT policy collection and what it should be from a best-practices perspective. OEI expects to issue a multi-year plan for addressing the gaps and updating EPA's IT policy by November 2002.

The Agency has not developed a dedicated process for ensuring that security plans of general support systems and major applications are up-to-date and practiced throughout the life cycle of the system. EPA currently ensures the existence of many, but not all, security plans through the CPIC process, the National Technology Services Division's (NTSD) Application Deployment Process, and a Security Plan Independent Review Process. However, CPIC process reviews are limited to "Major Agency Systems," and NTSD's Application Deployment Process is limited to "Major Agency Systems" or applications that contain data defined as having a "high" sensitivity level. Additionally, OEI indicated that the Security Plan Independent Review Process includes "completeness" reviews of security plans submitted with CPIC proposals, as well as a comprehensive review and testing of four system security plans, which OEI expects to complete next fiscal year. At this time, the Agency does not verify the existence of security plans for those systems and applications that do not fall into these categories. In addition, and in response to GISRA, EPA now requires all programs to perform assessments in accordance with NIST Special Publication 800-26.
OEI management will compile and report the results of these assessments in the Agency's GISRA report to OMB.

Question B.3    How has the agency integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security)? (Sections 3534 (a)(1)(B) and (b)(1) of the Security Act.) Does the agency have separate staffs devoted to other security programs, are such programs under the authority of different agency officials, if so what specific efforts have been taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent and complementary across the various programs and disciplines?

The Agency is beginning to integrate its information and IT security program with its critical infrastructure protection responsibilities. In EPA's Critical Infrastructure Protection Mitigation Plan, dated September 21, 2001, the responsibilities for assessing and addressing vulnerabilities are aligned with each office's overall mission. The plan states that within EPA, the overall infrastructure assurance responsibilities are shared by the Office of Administration and Resources Management (OARM), the Office of Solid Waste and Emergency Response (OSWER), and the Office of Water (OW). Specifically, OARM maintains responsibility for the Agency's physical and cyber infrastructure protection functions, while OSWER has emergency and remedial response obligations. OW is responsible for developing a water supply sector Critical Infrastructure Assurance Plan and for collaborating and coordinating efforts between the Federal government and the private sector. In addition, the CIO is responsible for the development and execution of the information-related elements of OEI's Mitigation Plan.

Other ongoing reviews should also bring to light the effectiveness of EPA's actions thus far. For example, the OIG is currently evaluating EPA's implementation activities for protecting its critical, cyber-based infrastructure, under a review sponsored by the President's Council on Integrity and Efficiency regarding Presidential Decision Directive (PDD) 63. Also, GAO is reviewing EPA's progress in protecting its critical cyber-based and physical infrastructures.

EPA does have separate staffs devoted to other security programs, and these programs are under the authority of different Agency officials, as indicated by the Critical Infrastructure Protection Mitigation Plan. Based on the descriptions of the assigned responsibilities, the responsibilities do not appear to overlap or cause duplication of effort. Only one responsibility is shared by two offices: "Working with Human Resources to ensure requirement skills to support infrastructure protection program." The Agency assigned the Assistant Administrators for OARM and OSWER this responsibility, and we believe it represents a shared responsibility rather than a duplication of effort.

Question B.4    Has the agency undergone a Project Matrix review? If so, describe the steps the agency has taken as a result of the review. If no, describe how the agency identifies its critical operations and assets, their interdependencies and interrelationships, and how they secure those operations and assets.

The Agency has essentially concluded step one of the three-step Project Matrix process by developing a draft report identifying the Agency's critical assets under PDD 63.
However, before the Project Matrix Step One Report can be finalized, it must undergo a quality assurance process to ensure that senior executives agree with the findings. Once finalized, the Agency needs to complete vulnerability assessments and risk mitigation plans for its cyber-based assets. In addition, step two of the process needs to be officially authorized and implemented.

Question B.5    How does the agency head ensure that the agency, including all components, has documented procedures for reporting security incidents and sharing information regarding common vulnerabilities? Identify and describe the procedures for external reporting to law enforcement authorities and to the General Services Administration's Federal Computer Incident Response Center (FedCIRC).

The Agency Head delegated to the CIO the responsibility for ensuring that EPA has documented procedures for reporting security incidents and for sharing information regarding common vulnerabilities. The CIO, in turn, delegated this responsibility to OEI's Director for Technology, Operations and Planning in June 2002.

EPA Directive 200.06, Computer Security Incident Response, dated January 31, 1996, is the Agency's official incident handling procedures document. In FY01, OEI indicated it was updating the Directive. Management subsequently decided to outsource the Incident Handling Program function. Because of this decision, OEI has given no date as to if and when it will revise Directive 200.06. OEI's Technical Information Security Staff (TISS) has been assigned the lead in developing the Incident Handling requirements that will be included in the OTOP contract.

EPA's procedures for sharing information regarding common vulnerabilities within the Agency are as follows:

    1.  TISS receives a FedCIRC or Computer Emergency Response Team advisory and sends it to a supporting contractor.
    2.  The contractor analyzes the scope and impact of the advisory.
    3.  The contractor returns the advisory to TISS, and TISS distributes it to the manager of the affected platform.
    4.  The platform manager distributes the advisory to the appropriate operational division for remedy.
    5.  The operational division reports back to TISS, confirming that the remedy has been applied.

The CIO does not directly report incidents to external law enforcement agencies. Instead, incidents with criminal ramifications are reported to the OIG's Computer Crimes Directorate (CCD). The CCD reports such incidents to external law enforcement authorities as it deems appropriate.

Although FedCIRC recommends real-time reporting, it has not promulgated any formal procedures for reporting security incidents. In the absence of specific criteria, TISS prepared and submitted an incident handling digest using data provided by EPA's NTSD. EPA discontinued submitting this digest at the end of September 2001, due to the lack of specific reporting requirements.
As of July 2002, EPA resumed sharing a more condensed incident handling digest with FedCIRC.

Question C.1    Have agency program officials: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques?

A survey of EPA's program offices disclosed that only 80% of offices had completed risk assessments for all assets and operations under their control. Likewise, only 80% of EPA's program offices were either in the process of conducting or had completed testing and evaluating the controls identified in the risk assessments. In our opinion, the 20% difference represents assets and systems that EPA did not label as "major applications" or "general support systems" for GISRA reporting purposes. These applications operate on the Agency's network and pose inherent security risks. As such, they should undergo risk evaluation, whether conducted by OEI or the responsible program office.

Program offices indicated they determined the level of security appropriate to protect operations and assets. However, as stated above, not all IT systems had undergone risk assessments or had approved security plans in place. We believe it is unlikely that adequate levels of security can be selected until the risk assessments are completed. As a result, major IT systems could be placed into operation without an adequate level of security and could be prone to operational manipulation due to inadequately designed internal controls. Representatives from OEI indicated that they instituted the NIST Self-Assessment tool for the fiscal 2002 review cycle, and that all program offices were to have completed the evaluation by July 2002. OEI plans to capture weaknesses from these risk assessments, incorporate them in a Plan of Actions & Milestones (POA&M), and track the milestones. Agency officials believe this approach will give them more reliable data on risk assessments.

Additionally, our fieldwork disclosed that EPA needs to do more to bring its system security plans into compliance with NIST requirements. We reviewed key data elements in EPA security plans and found that 21% of them were not comprehensively addressed to meet the standards set forth in NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
For example, some Security Plans did not:

    •  document the risk assessment methodology used to identify threats and vulnerabilities,
    •  document the security activities required for the system's current life-cycle phase, or
    •  describe contingency plan procedures.

This happened because EPA's security plan guidance predates revisions to NIST guidance and OMB Circular A-130, Appendix III, which clearly describe and organize basic security plan requirements.

Question C.2    For operations and assets under their control, have agency program officials used appropriate methods (e.g., audits or inspections) to ensure that contractor provided services (e.g., network or website operations) or services provided by another agency for their program and systems are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy?

As of July 22, 2002, except for the Toxic Substances Control Act (TSCA) program, we had not identified any audits or inspections accomplished by Agency program officials to ensure that contractor-provided services or services provided by another agency for their programs and systems were adequately secure and met regulatory requirements.

The TSCA program regularly audits and inspects contractors to verify that security standards are enforced. However, officials from EPA's Office of Prevention, Pesticides, and Toxic Substances stated that TSCA is unique in that a lawsuit and court order require them to enforce security standards deemed by many to be more stringent than necessary.

Question D.1(1)    Has the agency CIO adequately maintained an agency-wide security program?

While the Agency has more work to do in this key area, it has issued or updated several security-related policies and procedures this fiscal year and plans to complete additional ones next year. We view policies and procedures as a critical element of maintaining an agency-wide security program that is:

    •  compliant with Federal regulations and standards, and industry best practices, and
    •  implemented consistently throughout all parts of the organization.

As such, in responding to this question, we focused on the Agency's efforts to issue or update security-related policies and procedures. The Agency identified the following security-related policies and procedures that the CIO (through EPA's Office of Environmental Information) has issued or will issue in fiscal 2002 to adequately maintain agency-wide security.

Completed in FY02:

    •  LAN Operating Procedures (LOPS) 2002.
    •  Network and Infrastructure Procedures: new and revised procedures, along with links to the documents (described in deployment papers), for the network can be found on the Network Infrastructure Services Support Web Page.
    •  EPA Order 2100.2A1, entitled Information Technology Capital Planning and Investment Control, dated 6/17/02.
       It revised an interim Order issued one month earlier.
    •  Standard Configuration Documents (SCDs) for the following operating systems:
         -  Sun Solaris 8.0
         -  RedHat LINUX 7.1
         -  Tru64 5.1

We found that all of the security-related policies and procedures identified as completed this fiscal year existed and were issued or updated as management indicated. In addition, with the exception of the Network and Infrastructure Procedures, we found that all of the security-related policies and procedures identified as completed this fiscal year were directly related to security.

With regard to the Network and Infrastructure Procedures, we found that the Network Infrastructure Services Support Page does not differentiate whether the reason behind a service pack deployment is to correct a security shortcoming or to add other, non-security-related enhancements. This site provides a link to the LOPS, as well as to various deployment papers and service packs for software used by EPA, such as Corel WordPerfect, Lotus SmartSuite, Netware, Norton AntiVirus, Windows, etc. The site includes a brief description of and link to recent deployment papers, but these summaries do not specify whether a security shortcoming is the purpose for the specific upgrades or service packs described.

Currently Being Revised or Developed:

SCDs for the following operating systems are still in progress:
    -  Sun Solaris 9.0
    -  RedHat LINUX 7.2 & 7.3
    -  Beowulf (LINUX) SCYLD
    -  AIX 5L

The following policies and procedures are also under development:
    -  Personal Use Policy
    -  Systems Life Cycle
    -  Personal Digital Assistants
    -  Background Checks for Visitors
    -  Updated Standards of Behavior

We were able to verify that all but one of the SCDs identified above were included on the SCD web page as "under development & review." As of July 18, 2002, the only SCD not listed was the one for Beowulf (LINUX) SCYLD. The web page was last updated June 17, 2002. We could not verify the status of the policies and procedures under development, as no web references or draft documentation were provided.

Question D.1(2)    Has the agency CIO ensured the effective implementation of the program and evaluated the performance of major agency components?

OEI is beginning to establish some security oversight for EPA's complex information systems network. For several years, in conjunction with the Federal Managers' Financial Integrity Act, the OIG has formally advised EPA to centralize its security program and establish strong oversight processes to adequately address risks and ensure the security of its information resources and environmental data.
We found that OEI is performing some quality assurance and oversight activities to help ensure the effective implementation of the security program and to evaluate the performance of major agency components. However, we believe the Agency needs to focus more on independent verification, validation, and enforcement of the implementation of its security program.

OEI has accomplished very few oversight activities that independently verify and validate the implementation of the security program thus far this fiscal year. Three of the four FY02 oversight activities completed as of July 30, 2002, were desk reviews of activities performed or information provided by program and regional offices. The three oversight activities were:

    •  performing completeness reviews of security plans for all CPIC systems;
    •  reviewing answers to security questions for CPIC systems and providing feedback on each submission, as well as recommendations for improving responses; and
    •  reviewing corrective action milestones submitted by program offices and regions to ensure they adequately addressed the identified weaknesses.

The fourth oversight activity focused on independent verification and validation: the monthly scan of UNIX and NT servers at the National Computer Center. Although OEI had completed very few oversight activities of this type by the end of our field work, it had identified five oversight activities that it is phasing in or planning to complete between July 30, 2002, and the end of FY03:

    •  Testing a Sample of EPA's Unix Servers. OEI expects to issue a draft report by September 27, 2002, but has not indicated when the final report will be completed.
    •  External Penetration Testing of Network. Testing includes scans from external sites and war dialing. The draft report was issued on July 19, 2002. OEI did not include any planned date for the completion of the final report.
    •  Quarterly Reports on Netware Servers. Quarterly scans of attached servers determine their individual compliance with OEI-developed standards. OEI will issue quarterly status reports (score cards) to Assistant Administrators (AAs) and Regional Administrators (RAs). OEI is currently phasing in this process to allow program and regional offices to get acclimated to the process and to provide a larger window for achieving full compliance.

       The Agency is already seeing improvement in its compliance with the OEI-developed standards for Netware servers. We compared OEI's summary of EPA's weighted and curved compliance rates in January/February 2002 to the rates achieved in May/June 2002, and found that the Agency showed improvement in meeting Netware Server Standards. OEI applied several interim conditions while it phased in the quarterly reporting process:
         -  added reports to monitor standards not previously monitored;
         -  weighted the percentage of compliance for new reports at half the weight of ongoing reports, thereby allowing offices to become acclimated to the process [1];
         -  graded on a curve to allow offices more leeway to work on bringing systems into compliance. For example, OEI counted a server as being compliant regarding system audit logs if it logged at least 40% of the events required in the OEI-developed standards; and
         -  only ran Bindview reports against approximately 95% of its Netware servers, and did not reconcile the list of servers against which it ran Bindview to the list of all of the Netware servers in the Agency's Novell Directory Services tree [2].

    •  Quarterly Scan of NT Servers. In October 2002, OEI plans to begin performing a quarterly scan of all attached NT servers to determine compliance with OEI-developed standards.
    •  Comprehensive Review and Testing of Four System Security Plans. OEI plans to complete this activity next fiscal year.

Concerns regarding Oversight Reviews: To improve the feedback received through its oversight processes, we believe the Agency needs to set higher criteria for contractor-performed evaluations. For example, OEI hired a contractor to perform the Completeness Review of Security Plans for all the CPIC systems. OEI asked the contractor to perform the review based solely on the Agency's Information Security Planning Guidance (ISPG), dated June 17, 1997. OEI did not require the contractor to use current Federal regulations, standards, and industry best practices as criteria. As such, the contractor's findings would not provide a completely accurate picture of the Agency's compliance with Federal requirements.

[1] Starting in August 2002, OEI stated it stopped weighting the compliance percentage.
[2] Since conclusion of audit field work, OEI stated it will run Bindview reports against all resources identified in the tree.
As the contractor pointed out in their recommendations to the Agency, the ISPG needs to\nbe brought into compliance with NIST.\nWe compared the OEI-developed Netware Standards: Netware Security Checklist to the latest LOPs\n(2002 version) and found that the LOPs does not contain all OEI-developed standards. OEI states that\nother Agency documents augment the LOPs, but we did not find evidence to support that all standards\nwere formalized requirements within other approved Agency policies, directives, or orders. As such,\nregional and program offices are not required to conform their Netware security settings, even if future\nquality assurance reviews were to identify specific shortcomings.\n\n    Suggestions for Improvement: OEI should:\n       (1)\t ensure that both in-house and contractor-performed reviews determine compliance using the\n             following criteria:\n             \xe2\x80\xa2 current Federal regulations and standards,\n             \xe2\x80\xa2 industry best practices, and\n             \xe2\x80\xa2 additional requirements that EPA has instituted.\n       (2)\t formally establish OEI-developed Netware Standards as official standards.\n\nQuality Reviews for Risk-Based Performance Measures: OEI is currently developing risk-based\nperformance measures that focus on outcomes rather than outputs. OEI provided a draft framework\nwhich they plan to use; however, it was still in the vision stage and did not contain specific details.\nTherefore, we did not have enough information to express an opinion on EPA\xe2\x80\x99s intended performance\nmeasures.\n\nOur review, however, disclosed one concern regarding the process itself. In our opinion, EPA\xe2\x80\x99s process\nrelies heavily on self-assessments and self-certifications, rather than on independent verification and\nvalidation. We believe that for the process to be successful in accurately measuring performance, it must\ninclude these additional components. 
Although such aspects were not part of the draft framework, OEI\nstated that it will apply some sort of quality assurance component. However, due to limited resources, OEI\nstated that it only will be able to verify a small portion of what it receives. OEI plans to accomplish its\nquality assurance plan in FY03.\n\nQuestion D.1 (3)\t   Has the agency CIO ensured the training of agency employees with significant security\n                    responsibilities?\n\nThe Agency cannot be assured that personnel with significant security responsibilities are sufficiently\ntrained because management has not yet identified which EPA employees have such responsibilities.\nOnce these personnel have been identified, EPA needs to assess security training needs based on assigned\nresponsibilities. We noted that OEI does not track how many EPA employees receive specialized security\ntraining; program offices are expected to obtain and track this data.\n\nThe Agency provided web-based security awareness training to all EPA employees in August 2001.\nAlthough the Agency can track which employees have completed this training, OEI officials could not\n\n\n\n                                                     10\t                            Report No. 2002-S-00017\n\x0c verify to us that all EPA employees have taken the training. At this point, EPA does not have\nstandardized procedures to ensure that new employees receive security awareness training.\n\nOEI has plans for several security training initiatives. For example, OEI has a subscription with the\nDepartment of Transportation\xe2\x80\x99s Virtual University (TVU) to a library of IT security-related courses. Per\nOEI, these courses are aligned with NIST Special Publication 800-16. Approximately 50 EPA employees\nhave begun taking these courses. 
For the balance of the calendar year, OEI plans to deploy: (1) the 2002\nversion of Information Security Awareness Training for all employees, (2) IT training sessions for\nexecutives and managers, and (3) security training (focused on NIST 800-16 requirements) for Information\nSecurity Officers (ISOs) through the TVU and the IRM College of the National Defense University.\nAlso, in August 2002, OEI provided security training to ISOs during the annual ISO Forum.\n\n    Suggestion for Improvement:\n    To establish a robust and effective security training program, OEI should:\n     \xe2\x80\xa2\t identify personnel with significant security responsibilities, and\n     \xe2\x80\xa2\t assess security training needs for those personnel.\n\nQuestion D.2     For operations and assets under their control (e.g., network operations), has the agency CIO\n                 used appropriate methods (e.g., audits or inspections) to ensure that contractor provided services\n                 (e.g., network or website operations) or services provided by another agency are adequately\n                 secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national\n                 security policy, and agency policy?\n\nThe CIO has responsibility for a variety of contract services which support the Agency\xe2\x80\x99s enterprise\nnetwork operations, network security, and systems development activities:\n\n    \xe2\x80\xa2\t   National Computer Center (NCC),\n    \xe2\x80\xa2\t   National Wide Area Network,\n    \xe2\x80\xa2\t   Headquarters Local Area Network,\n    \xe2\x80\xa2\t   TRI Reporting Center,\n    \xe2\x80\xa2\t   Systems Development Center, and\n    \xe2\x80\xa2\t   Central Data Exchange.\n\nDuring fiscal 2002, the CIO took the following actions to ensure contractor-provided services were\nadequately secured and met the requirements of the Security Act:\n\n    \xe2\x80\xa2\t   conducted modem-based penetration testing using a 
\xe2\x80\x9cwar-dialer\xe2\x80\x9d technique at two key EPA\n         locations: EPA Headquarters and the NCC;\n    \xe2\x80\xa2\t   conducted Internet-based penetration testing against network assets located at the NCC;\n    \xe2\x80\xa2\t   conducted a \xe2\x80\x9ccompleteness\xe2\x80\x9d review of security plans for major applications and general support\n         systems identified in the CPIC proposals; and\n    \xe2\x80\xa2\t   implemented a program to regularly monitor Novell Netware security settings and provide\n\n         feedback to responsible EPA officials.\n\n\nIn our opinion, the CIO\xe2\x80\x99s actions seem appropriate for ensuring contractor services comply with the\nSecurity Act. However, at the end of field work, the penetration testing results were not finalized, so we\n\n                                                       11\t                              Report No. 2002-S-00017\n\x0ccould not review OEI\xe2\x80\x99s POA&M associated with identified weaknesses. In our opinion, the CIO must\nwork to finalize these results, and establish and monitor POA&Ms for identified weaknesses. Additionally,\nthe CIO should develop and implement strategies to address concerns regarding oversight reviews\nidentified in section D1.(2).\n\nQuestion D.3     Has the agency CIO fully integrated security into the agency\xe2\x80\x99s capital planning and investment\n                 control process? Were security requirements and costs reported on every FY03 capital asset\n                 plan (as well as in the exhibit 53) submitted by the agency to OMB? If no, why not?\n\nThe Agency has not fully integrated security into the Agency\xe2\x80\x99s CPIC process. 
Although EPA has made\nsignificant improvements, weaknesses remain in the areas of policy guidance, quality assurance, and\nsystems inventory.\n\n    \xe2\x80\xa2\t   EPA\xe2\x80\x99s recently-enacted CPIC policy does not reference existing Agency security requirements.\n         Although EPA\xe2\x80\x99s policy addresses security through a high-level reference to OMB Circular A-130,\n         Information Resources Management, it does not reference existing Agency security policies. As\n         it is written, the current CPIC policy does not include guidance with respect to integrating security\n         into the CPIC process.\n\n    \xe2\x80\xa2\t   EPA reported security costs for all projects on OMB Exhibit 53; however, EPA did not report\n         security requirements on every FY03 capital asset plan submitted by the Agency to OMB. Of the\n         46 capital asset plans submitted to OMB, 11 (24%) lacked an approved security plan and 3 (7%)\n         referenced security plans that had not been updated within the past three years. OEI explained\n         that, at the time of submission, risk assessments had not been completed for the 11 proposals\n         without security plans. In response to the draft report, OEI emphasized that the outstanding risk\n         assessments have been completed, and stated that all 39 systems in the fiscal 2004 capital asset\n         plan have security plans.\n\n    \xe2\x80\xa2\t   In response to an OIG draft report entitled EPA\xe2\x80\x99s Management of Information Technology\n         Resources Under the Clinger-Cohen Act, dated July 2, 2002, OEI indicated it will resolve the\n         systems inventory issue by establishing an Information Resources Registry System that will contain\n         all major and significant systems. 
The Agency expects to (1) complete prototype software for the\n         Registry by the end of FY02, and (2) populate the database with actual data by the end of FY03.\n\nSTATUS OF GAO SECURITY RECOMMENDATIONS\nWe conducted follow-up work to determine EPA\xe2\x80\x99s progress in implementing recommendations contained\nin GAO\xe2\x80\x99s report: GAO/AIMD-00-122, Information Security - Fundamental Weaknesses Place EPA\nData and Operations at Risk, dated June 2000. To date, we have reviewed 31 recommendations relating\nto the Unix Operating System and all 13 recommendations regarding Novell systems.\n\nStatus of Unix Recommendations :\nDuring this review cycle, we evaluated 31 GAO recommendations related to Unix. We met with agency\nofficials, analyzed system configuration files, and reviewed applicable network management polices and\n\n\n                                                      12\t                             Report No. 2002-S-00017\n\x0cprocedures. Additionally, we selected a sample of servers critical to EPA\xe2\x80\x99s top-level architecture (i.e.,\nFirewall, Intrusion Detection System, Domain Name Service, and Network Management Servers) and\nconducted limited confirmation testing using readily available network assessment tools.\n\nIn our opinion, EPA has taken appropriate steps to implement the GAO Unix recommendations. Based on\nsystem file reviews and confirmation tests, we found:\n\n    \xe2\x80\xa2\t   servers were properly configured according to the vendor\xe2\x80\x99s instructions and GAO\'s\n\n         recommendations.\n\n    \xe2\x80\xa2\t   no security holes.\n\nGAO recommendation number 71 required EPA to improve its incident handling practices. We found that\nEPA has made improvements in its incident handling practices, although we did not assess the efficiency\nand effectiveness of those practices. 
For example, EPA established sufficient policies to provide the\noverall direction for the incident handling program, and its ISOs have an understanding of their duties for\nreporting security incidents.\n\nStatus of Novell Recommendations :\nAs part of the 2001 GISRA review, we reviewed three of the 13 Novell (i.e., Netware) recommendations\nfrom GAO. These recommendations were fully implemented. During our 2002 GISRA review, we\nevaluated the status of the 10 remaining Novell recommendations. We reviewed a judgmental sample of\nEPA\xe2\x80\x99s regional and program offices to determine if management implemented GAO\xe2\x80\x99s recommendations\nor, at least, planned to establish compensating controls.\n\nWe used Bindview reports generated by OEI to assess the Agency\xe2\x80\x99s compliance with 6 of the 10 GAO\nrecommendations. EPA uses Bindview reports in support of their overall network security program and\nthese reports depict compliancy profiles with the majority of the OEI-developed Netware security\nstandards, as well as most of GAO\xe2\x80\x99s recommendations. At that point in time, compliance was still being\ngraded on a curve, as explained in our response to Question D.1(2) above.\n\nIn May 2002, OEI officials conducted assessments of the Agency\xe2\x80\x99s program and regional offices\xe2\x80\x99\ncompliance with OEI-developed Netware Security Standards. OEI concluded program and regional\noffices were 85.4% complaint with prescribed standards. We further analyzed these results for three\nprogram offices and three regional offices having the lowest compliance rates with the OEI-developed\nNetware standards. We limited our review to compliance with GAO recommendations and used the\nBindview reports directly related to these recommendations. Our review indicated the six offices reached\na compliance rate of 78.5% 3 with GAO recommendations. 
OEI officials stated that any non-compliance\nby an individual office reflected on that particular office and should not be used to judge the merit of OEI\xe2\x80\x99s\nimplementation program.\n\n\n         3\n          For GAO recommendation 95, the percentage represents the compliance rate associated with\n         the AuditCon feature enable for applicable servers, containers, and volumes, but does not\n         represent compliance with logging of GAO recommended auditing events.\n\n\n\n                                                     13\t                            Report No. 2002-S-00017\n\x0cFor the four recommendations where EPA chose not to implement GAO\xe2\x80\x99s recommendations, the Agency\nindicated they have established or planned to establish compensating controls to mitigate the associated\nrisks. We did not test the adequacy of these controls or individual implementation plans.\n\nEPA has improved network security among the regions and program offices by providing OEI-developed\nNetware standards and by monitoring most of these standards. OEI\xe2\x80\x99s standards for Netware include the\nmajority of GAO\'s Novell recommendations. However, as discussed in our response to question D.1(2),\nthese standards have not been formalized as an Agency requirement. The Agency\xe2\x80\x99s assessment of\ncompliance with these standards, as captured in January/February 2002 and in May/June 2002, shows an\nincreased overall compliance.\n\nSuggestions for Improvement: OEI should:\n   \xe2\x80\xa2\t formalize standards into Agency policy and procedures, and assign accountability and identify\n       consequences for non-compliance.\n   \xe2\x80\xa2\t perform follow-up monitoring for program and regional offices with poor compliance rates to\n       ensure their respective management take corrective action within 30 days of notification. 
For\n       substantive problems, planned corrective actions should be formalized under OEI\xe2\x80\x99s POA&M.\n\nPLAN OF ACTION AND MILESTONES\nTo facilitate creation of the Agency plan of action, OEI\xe2\x80\x99s TISS prepared a standard approach for\nidentifying, compiling, and tracking corrective actions. As a first step, TISS compiled a list of weaknesses\nfor each Region and Program from the following sources:\n\n    \xe2\x80\xa2\t   FY01 annual assessments,\n    \xe2\x80\xa2\t   risk assessments completed during last 18 months,\n    \xe2\x80\xa2\t   independent testing conducted on EPA\xe2\x80\x99s network-attached resources, and\n    \xe2\x80\xa2\t   security plan reviews conducted last fiscal year.\n\nTISS aggregated the list of detailed weaknesses into approximately 12 broad categories and developed\nstandardized work plans for each category. Each EPA program and region was asked to: (1) verify the\nlist of weaknesses; (2) add any additional weaknesses; (3) identify weaknesses already corrected; and (4)\nfill in dates for completing milestones of weaknesses not yet corrected. AA/RA\xe2\x80\x99s were asked to sign off\non their respective Action Plan and submit it to the CIO with an electronic copy to TISS.\n\nTISS captured the Agency\xe2\x80\x99s POA&Ms in a central project management database. TISS established a\nproject management infrastructure that will assist the Agency in consolidating the individual POA&Ms into\na comprehensive Agency action plan. A contractor, under TISS\xe2\x80\x99s direction, maintains a central database\nwith all the work plans. TISS was requiring monthly updates from each program and regional office, but\nswitched to quarterly updates after July 2002, to be consistent with OMB\'s schedule.\n\nOMB requested that IGs verify that agency POA&Ms identify all known security weaknesses. 
As such,\nwe randomly selected a contractor-performed review to verify that the weaknesses identified were\nincluded in the Agency\xe2\x80\x99s POA&M. We found that the Agency had not included the weaknesses identified\nin this review.\n\n\n                                                     14\t                           Report No. 2002-S-00017\n\x0cSuggestions for Improvement:\nWe believe that the collection and maintenance process needs to be modified to ensure that:\n\n    \xe2\x80\xa2\t   all known weaknesses associated with any reviews performed by, for, or on behalf of the Agency\n         are included.\n    \xe2\x80\xa2\t   all known weaknesses, whether they are associated with a component of the Agency or the\n         Agency as a whole, are included.\n\nIn addition, we believe that the process needs to include quality assurance/oversight to ensure that the\ncorrective actions reported as completed are effective. We also believe that the Agency needs additional\nfull-time staff with backgrounds in IT Security to adequately oversee the maintenance, monitoring, and\noversight of the Agency\xe2\x80\x99s POA&Ms.\n\n\n\n\n                                                   15\t                           Report No. 2002-S-00017\n\x0c'